Here's a counterargument: Virtualization is cool. It's great in an environment where you can increase the uptime and reliability of services. But for home, with a single host, virtualizing critical network infrastructure is... not advised imo. You see, if you have any hw/sw issue with the host and it's gone, you will have no network at all, and no internet.
You always have the same issue if your hardware fails. No matter if virtual or direct setup, if OPNsense is gone, your network is dead. For me, no problem. I still have the old J3160 with OPNsense installed and configured that I can use, or I plug in one of the older Fritzbox 7490s I have, until I get the main machine back. If everything else fails, all I have to do is shut down the NAS, plug in one of the spare 250 GB SSDs sitting around, plug in a dual-NIC PCIe card (Intel NICs), and install OPNsense on the J5040 until I get the N100 replaced.
I also didn't like the idea of running OPNsense in a VM, but with the new N100 and the SSDs not being supported by FreeBSD, it was the only way to install the software package. And now, after several months, I love this approach. The NICs are run in direct mode, OPNsense runs stably, fast and with high efficiency, and gives me multiple advantages over the bare-metal approach:
I can create a snapshot of the VM and all configuration details, run a software upgrade of OPNsense, and if it fails, revert to the working backup. No need to reinstall it from scratch.
I can and have created a pure virtual subnet within Proxmox and now run multiple services on virtual machines, which proved to be problematic otherwise. WireGuard is one of them. There were or are problems with the implementation in OPNsense. I often had network disruptions and had to reset the connection, which wasn't practical. Since I forward this to a small VM running wireguard-easy on Docker, the problems are gone. And as a bonus I can create QR codes for WG connections, scan them with the mobile phone and have a working VPN without any manual key exchange or setting other options.
I run JDownloader in another VM and by doing this resolved a problem with the network stability at home. It was running on my NAS, and whenever I had a network disruption, all connections were lost and I had to start over. Now I run the program in a separate VM and outside of Docker, which gives me the possibility to implement local AI routines for captcha solving, and I also installed Uptime Kuma (together with two other instances on other machines) to locate the network problem.
My next idea of software to move to the central hub is the Dynamic DNS resolver and maybe some other local services which are required to keep connected to the internet but don't offer any dedicated local services. Tandoor (cooking), for example, will for sure stay on the NAS.
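The snapshot-then-upgrade-then-revert workflow described above, as an added example that is not part of the original post: a small POSIX shell wrapper around Proxmox's `qm snapshot` / `qm rollback` that only keeps the upgraded firewall if the gateway answers afterwards. The VM id, snapshot name, gateway address and the upgrade command are assumptions passed in by the caller; `RETRY_DELAY` and `RETRIES` are hypothetical knobs, not Proxmox settings.

```shell
#!/bin/sh
# Snapshot-guarded upgrade of a firewall VM on Proxmox (added example, not from the post).
# Assumes `qm` is the Proxmox VE CLI on this host. Override QM to point elsewhere.
QM="${QM:-qm}"
RETRIES="${RETRIES:-12}"        # how many health probes before declaring the upgrade broken
RETRY_DELAY="${RETRY_DELAY:-5}" # seconds between probes (set to 0 in tests)

# Snapshot including RAM state (--vmstate 1), so a rollback restores the running firewall.
take_snapshot() { # vmid snapname
    "$QM" snapshot "$1" "$2" --vmstate 1 --description "pre-upgrade guard"
}

# Health check from the Proxmox host: the gateway must answer ICMP within the retry budget.
gateway_healthy() { # host
    i=0
    while [ "$i" -lt "$RETRIES" ]; do
        if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# Returns 0 when the upgrade left the gateway reachable, 1 after a rollback,
# 2 if the snapshot itself could not be taken (in which case nothing is upgraded).
guarded_upgrade() { # vmid snapname gateway upgrade_cmd
    take_snapshot "$1" "$2" || return 2
    # upgrade_cmd is a placeholder supplied by the caller, e.g. an ssh invocation
    # of the firewall's own updater followed by a reboot.
    sh -c "$4"
    if gateway_healthy "$3"; then
        echo "upgrade ok; snapshot $2 kept until you remove it"
        return 0
    fi
    echo "gateway $3 unreachable after upgrade; rolling $1 back to $2" >&2
    "$QM" rollback "$1" "$2" || return 1
    # harmless if the rollback already resumed the VM from its saved RAM state
    "$QM" start "$1" 2>/dev/null || true
    return 1
}

# Usage: VMID=100 ./guarded-upgrade.sh 100 pre-upgrade 192.0.2.1 "ssh root@192.0.2.1 '...'"
if [ "$#" -eq 4 ]; then
    guarded_upgrade "$@"
fi
```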